ASP.NET 2.0 security

Paul Aspinall

Can anyone point me to an article which shows how to control access to
certain web pages for different forms-authenticated users?

I would ideally like to decide if users can 'view', 'edit', 'create' or
'delete' on each page, and therefore some sort of status flag would be
needed to indicate the level of security granted.

Any pointers to sample code appreciated.

Thanks
Alec MacLean

Generally, I would use a database to determine what areas or page sections a
given user is able to see. This would require the user registering at your
site of course, but then they would need to do something of this sort in
order to get a login, right?

I can thoroughly recommend using the Microsoft Patterns & Practices
Application Blocks. In particular, I use the DAAB for data driven apps
(both Win form and Web form). Note that this is geared for Framework 1.1,
but is 2.0 compatible - it just doesn't know about some of the new data
features. (The 2.0 version is being written at the moment and is
"imminent".)

I can also recommend the Wrox book list for very useful detailed background
info and examples. I have "ASP.NET Security" (though note that it was
written for framework 1 prior to SP1). I've just taken a look at the
Wrox site and of course they've got a new title out: "Pro ASP.NET 2.0
Security, Membership and Role Management". Perhaps this would be of value
to you?

How are you going to determine which rights they are entitled to? Will an
administrator have to examine each account and manually assign rights, or
will you be able to set a default set?

If this is for an intranet scenario, perhaps you have access to a staff
directory DB? You could add your access rights for your app to a sub-table
of this system perhaps, or have a query that crosses access that other DBO.

Hope that helps.

Al
ElronVel

Maybe you need the Membership Services of the new ASP.NET 2.0.

But in case you need to roll your own, here is the gist.

First, each authenticated user may somehow belong to some roles (1 or
more roles for each user, set up in the database). The approach is
common; I generally use some kind of mapping to assign 'features' to
'roles'. How you store this mapping is up to you. Storing it in
Web.config would be nice because it is easily available to the app.

For example:
view   ---> admin, secretary, janitor
edit   ---> admin
create ---> admin, secretary
delete ---> admin

In your code, before going into the 'feature', simply check whether the
current 'role(s)' of the user are in the mapping. For the
example above, before loading view (or before displaying the view button
in page load or prerender), determine if the current role (or roles)
is in (admin, secretary, janitor). Take appropriate steps (like
displaying an error, hiding the button, etc.). Create a handy method to
do this membership function.

This makes for easily configurable security in your app.

That's it, good luck!
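The feature-to-role mapping and "handy method" described in the answer above, as an added C# example that is not code from this thread. It assumes the mapping lives in Web.config appSettings under keys of the form `Feature.<name>` (an assumed naming convention), that users are forms-authenticated with roles populated on `Page.User`, and that the page has controls named `btnEdit` and `btnDelete` and an `~/AccessDenied.aspx` page; all of those names are hypothetical. The helper denies by default for anonymous users and for features missing from the mapping, and the postback handler re-checks rather than trusting a hidden button.

```csharp
// Assumed Web.config fragment (mapping taken from the answer above):
//   <appSettings>
//     <add key="Feature.view"   value="admin,secretary,janitor" />
//     <add key="Feature.edit"   value="admin" />
//     <add key="Feature.create" value="admin,secretary" />
//     <add key="Feature.delete" value="admin" />
//   </appSettings>
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Security.Principal;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public static class FeatureAccess
{
    // Feature name -> roles allowed to use it; loaded once per AppDomain.
    private static readonly Dictionary<string, string[]> map = LoadMap();

    private static Dictionary<string, string[]> LoadMap()
    {
        Dictionary<string, string[]> m =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);
        foreach (string key in ConfigurationManager.AppSettings.AllKeys)
        {
            if (!key.StartsWith("Feature.", StringComparison.OrdinalIgnoreCase))
                continue;
            string[] roles = ConfigurationManager.AppSettings[key]
                .Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
            for (int i = 0; i < roles.Length; i++)
                roles[i] = roles[i].Trim();
            m[key.Substring("Feature.".Length)] = roles;
        }
        return m;
    }

    // Deny by default: anonymous users and unmapped features get false.
    public static bool IsAllowed(IPrincipal user, string feature)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        string[] roles;
        if (!map.TryGetValue(feature, out roles))
            return false;
        foreach (string role in roles)
            if (user.IsInRole(role))
                return true;
        return false;
    }
}

// Code-behind for a hypothetical record page with edit/delete buttons.
public partial class RecordPage : Page
{
    protected Button btnEdit;   // declared in the .aspx markup (assumed)
    protected Button btnDelete;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Nobody without 'view' rights gets to see the page at all.
        if (!FeatureAccess.IsAllowed(User, "view"))
            Response.Redirect("~/AccessDenied.aspx");  // assumed page

        // Hiding buttons is a UI courtesy only; the handlers check again.
        btnEdit.Visible = FeatureAccess.IsAllowed(User, "edit");
        btnDelete.Visible = FeatureAccess.IsAllowed(User, "delete");
    }

    protected void btnDelete_Click(object sender, EventArgs e)
    {
        // Server-side enforcement: a crafted postback cannot bypass this.
        if (!FeatureAccess.IsAllowed(User, "delete"))
            throw new HttpException(403, "Forbidden");
        // ... perform the delete ...
    }
}
```

The two-layer check is the point: the mapping decides what the page shows, but the same `IsAllowed` call guards the action itself, so a user who is missing the role cannot invoke the feature by re-enabling or replaying the button.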